The Privacy Rights Clearinghouse (PRC) respectfully submits the following comments to the Department of Education (Department) for its consideration with respect to the call for public comment in its Notice of Proposed Rulemaking (NPRM) regarding the Family Educational Rights and Privacy Act of 1974 (FERPA).[1]

I. Background

The PRC is a nonprofit organization, established in 1992 and located in San Diego, California.[2] Our mission is two-part: consumer education and consumer advocacy. We have published more than 50 Fact Sheets that provide practical information consumers may employ to safeguard their personal information, and we invite individuals to contact the organization with their privacy-related questions, concerns and complaints.

II. General Statements

The Department proposes to amend the regulations implementing FERPA with the goal of providing states with flexibility in sharing data in statewide longitudinal data systems (SLDS) to enhance their effectiveness. In doing so, the Department proposes extensively widening the scope of nonconsensual disclosure of student data to third parties. Unfortunately, and notwithstanding the new safeguards the Department proposes, the proposed amendments do not adequately address data privacy concerns when it comes to disclosing sensitive student information.

The purpose of FERPA is to protect the privacy of student education records that are maintained by educational agencies or institutions that receive funds from the Department.[3] This is accomplished in part by restricting disclosure of personally identifiable information (PII) absent written consent of either a parent or eligible student, except in very limited circumstances. However, by compiling increased amounts of student data and allowing greater access to this data, the potential for misuse and security breach increases. These databases will also hold extreme value not only for those intending to use the data to improve the education system (as the NPRM contemplates), but also for parties who seek to profit from the data and hackers seeking to use it for nefarious purposes such as committing identity theft.

As the Department is aware, education records can include much more than test scores and class standing. They may include health information, descriptions of physical appearance, family economic circumstances, ethnic background, political and religious affiliations, psychological test results, financial information, etc. The information may be fact, such as birth date or Social Security number, or it may be opinion teachers have expressed about the student.[4] As such, it is exceedingly important to limit access to this data goldmine and to allow parents and eligible students as much control as possible over when, to what extent, and to whom the data is disclosed.

The PRC believes that the Department’s proposed amendments to its regulations implementing FERPA in large part counteract the general purpose of FERPA. However, regardless of its authority to amend its regulations as such, we are concerned that the proposed amendments pose potential data privacy problems, do not adequately address necessary privacy protections, and lack meaningful mechanisms to promote accountability.

III. Response to Proposed Amendments

A. Proposed Definition of “Authorized Representative”

The NPRM proposes to define “authorized representative” as “any entity or individual designated by a State or local educational authority or agency headed by an official listed in Section 99.31(a)(3) to conduct—with respect to Federal or State supported education programs—any audit, evaluation, or compliance or enforcement activity in connection with Federal legal requirements that relate to those programs.”[5]

Parental or eligible student consent is not required to disclose information to authorized representatives of the Comptroller General of the United States, the Attorney General of the United States, the Secretary, or State and local educational authorities.[6] “Authorized representative” is currently undefined, but since 2003 has been interpreted as a party under the direct control of an educational authority.[7] However, because the Department believes the current interpretation is unnecessarily restrictive, the proposed definition, if enacted, will widen the scope of what constitutes an “authorized representative” considerably.

Allowing non-educational agencies access to students’ PII without requiring parental or eligible student consent may further the Department’s goal of SLDS efficiency; however, nothing in the proposed definition of “authorized representative” actually limits who may be considered as such. Not only does this seem to counteract the intent of FERPA to protect student privacy, but it also allows the accountability of State or local educational authorities or agencies (and their authorized representatives) to the Department to become greatly attenuated.

We urge the Department to consider how and whether a parent or eligible student may seek legal action against or recovery from an “authorized representative” to whom they did not explicitly permit their data to be disclosed. We also express concern with the general effectiveness of the Department’s limited enforcement ability under FERPA when it comes to expanded nonconsensual disclosure of education record data, because the proposed standards are very limited and there is no reporting mechanism when it comes to the proposed mandatory written agreements between authorized representatives and a State or local educational authority.

B. Proposed Amendment of “What conditions apply to disclosure of information for Federal or State program purposes?”

1. Written Agreements

The NPRM proposes amending § 99.35 of the regulations to require written agreements between a State or local educational authority or agency and its authorized representative, other than an employee, to whom it will disclose PII from education records without consent.[8] While requiring an agreement would open up the potential for enforcement in the event that an authorized representative violates a term, the Department has not articulated how and to whom a breach of such an agreement would be reported. The Department should consider how this written agreement requirement may help parents and eligible students recover if they are adversely affected by such a contractual breach, especially since FERPA does not provide a private right of action.[9]

The proposed regulations require agreements to contain certain general provisions. However, the standards are quite vague and only address establishing policies/procedures to protect the PII from further disclosure and unauthorized use. As proposed, these agreements are not necessarily required to include data security measures, data breach notification, independent third-party audits, and reasonable data destruction and/or return practices. We suggest that the Department amend the proposed rules to create a floor for the requirements in written agreements with authorized representatives that includes the above, so that there is a tangible way in which to hold authorized representatives accountable.

The NPRM proposes requiring a State or local educational authority or agency to use reasonable methods to ensure that any entity designated as its authorized representative remains compliant with FERPA.[10] The Department states that it will not propose a definition of “reasonable methods,” in order to provide flexibility, but seeks comment on what may be considered a reasonable method.

By providing no binding guidance on reasonable methods, State or local educational authorities or agencies will not realistically be held accountable to any meaningful standards, nor will they be able to “ensure” anything. This also raises the question of whether the State or local educational authorities or agencies will be subject to outside audits to determine whether they employ such reasonable methods, or whether this will only be determined after FERPA is violated or a complaint is filed and the Department has initiated enforcement proceedings.

3. Five-Year Prohibition for Improper Redisclosure

The NPRM states that if the Department’s Family Policy Compliance Office finds that a state or local authority or agency, or authorized representative, improperly rediscloses PII in violation of FERPA, the educational agency or institution from which the PII originated will be prohibited from permitting the entity responsible to access the PII for at least five years.[11] The PRC agrees with the Department that five years is an appropriate time period for such a violation.

However, “redisclosure” is the only action that is punishable by this language. Other violations, such as those concerning amendment, accuracy, inspection and review, especially by authorized representatives, should also be subject to a similar prohibition. Also, we encourage the Department to consider its ability to prevent any educational agency or institution, rather than limiting it to the agency or institution whose PII was improperly redisclosed, from allowing the party in violation access to the education record data. Parties in violation should be on a single list accessible to all state or local authorities or agencies and the general public.

C. Proposed Definition of “Education Program”

Under the current regulations, “Authorized representatives of the officials or agencies listed in § 99.31(a)(3) may have access to education records in connection with an audit or evaluation of Federal or State supported education programs….”[12] The NPRM proposes defining “education program” as “any program that is principally engaged in the provision of education, including, but not limited to, early childhood education, elementary and secondary education, postsecondary education, special education, job training, career and technical education, and adult education, regardless of whether the program is administered by an educational authority.”[13]

The proposed definition of “education program,” in conjunction with the current regulations, creates expansive access to education records that again goes against any intent of FERPA to safeguard the privacy of education records and allow for nonconsensual disclosure of PII only in extremely limited circumstances.

The Department should clarify not only to what extent an education program must be Federal or State supported, but also narrow its proposed definition of “education program.” For example, it is unclear to what extent a program must be engaged in the provision of education in order to be “principally engaged.” Also, the language “but not limited to” seems to unnecessarily leave the definition open. Because the proposed definition is so expansive, it could lead to the creation of an unnecessarily rich compilation of data concerning an individual over which both the individual and the Department have very little control, access to remedy, or enforcement mechanisms.

D. Directory Information

1. Identification Badges

The NPRM proposes disallowing a parent or eligible student from opting out of wearing, publicly displaying, or disclosing a student ID card or badge that exhibits information designated as directory information.[14] The PRC does not necessarily oppose this proposed amendment to the regulations. However, we urge the Department to consider how this would affect students who are the victims of stalking, for example. This is likely to have the greatest effect on students at postsecondary institutions where the size of the institution may make it more difficult to restrict access.

2. Limited Disclosures

The NPRM proposes allowing educational agencies and institutions to specify in their annual public notices to parents and students that disclosures of directory information may be limited to specific parties and for specific purposes.[15] We support this proposed amendment, and believe that it will make student information less likely to be released for marketing purposes, while providing educational agencies and institutions with more certainty and control in using directory information for their own purposes. The suggestion that the agencies and institutions consider non-disclosure agreements with third parties is also valid, and the PRC would like to see this become common practice.

E. Enforcement Procedures with Respect to Any Recipient of Department Funds that Students Do Not Attend

The current regulations do not authorize the Family Policy Compliance Office to investigate, review and process an alleged violation of FERPA that is committed by recipients of Department funds under a program that students do not attend.[16] If the Department is going to expand access to and disclosure of student data to facilitate efficiency of SLDS, this provision seems necessary. However, the Department should evaluate its ability to expand its enforcement capabilities under both the existing enforcement mechanisms and FERPA in general.

IV. Conclusion

While increasing access to data in SLDS will be beneficial to evaluate and improve education in general, it will also significantly increase the chance that data in education records is mishandled or breached. In conclusion, we are concerned that the Department has expanded nonconsensual disclosure exceptions under FERPA to the point where it counteracts FERPA’s intended purpose. We are further unconvinced that the enhanced enforcement provisions will increase or maintain accountability when it comes to data security and privacy protection measures.